Hello, Gmelius Community! On the 25th of May, 2018, the EU General Data Protection Regulation (GDPR) came into effect.
This is not something new; a data protection legislation in the EU has been active for over two decades! The eight data protection principles of the 1995 EU Data Protection Directive, have been since governing the treatment of personal data by companies/organizations in the EU, and the new GDPR actually builds on these principles and enhances them.
Whether you’re a B2B or B2C, big or small, headquartered in the EU or not, we recommend you to familiarise yourself with the changes under the GDPR.
Here is, therefore, an overview of the regulation and its implications, to help you get started.
Please kindly note this is for general information and is not intended to constitute legal advice. We encourage you to consult with your own legal counsel to familiarize yourself with the requirements that govern your specific obligations under the GDPR.
GDPR stands for General Data Protection Regulation. It regulates how companies can collect, process, and use personal data from EU individuals. It also dictates how companies must respond in the case of a data breach and/or a request from an EU resident to have his or her data deleted.
It’s primarily a set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways.
The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, e.g., a name, a national ID number, an address, or even an IP address.
The new Regulation requires for personal data:
The territorial scope of the GDPR is far broader and applies not only to EU-based businesses but also to any company/organization that controls or processes data of EU citizens and residents.
In particular, it even applies to non-EU businesses who either market their products to people in the EU or monitor the behavior of people in the EU.
In other words, even if you’re based outside of the EU, but you control or process the data of EU citizens and residents, the GDPR applies to you too, that means essentially that any company with an online presence may be impacted.
Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR. Moreover, the UK has drafted legislation to update their current Data Protection Act to the standards of the GDPR, currently going through the Parliament.
It all comes down to your role in managing user data.
Source: F-Secure — https://business.f-secure.com/quick-guide-to-gdpr-concepts
You are a data controller if your company / organization collects people’s personal data and makes decisions about what to do with it.
You are a data processor if your company / organization doesn’t decide what to do with the data but processes said data based on the instructions given by the controller.
You could be assigned both roles and act simultaneously as controllers and processors. For instance, Gmelius acts as a data processor for its users by offering its CRM solution but also acts as a data controller when members of the Gmelius team interact with clients or partners.
Regardless of your role, you need to put processes in place to follow through on requests from your users regarding their personal data and comply with applicable data privacy legislation accordingly.
It is worth mentioning that your users in the EU have the right to access their own personal data. They can request a copy of their data, request that their data be updated, deleted, restricted, or transported to another organization.
The full legislation text can be accessed here.
We made these important changes, summarized below, with the aim to empower you to make the best decisions about the information that you share with us.